Hardware-based mobile security market heats up

By Brian Robinson

Feb 10, 2014

Cybersecurity solutions are introduced most often as software implementations, but these can be inadequate for meeting the core requirements of government agencies and other security-sensitive organizations.

That weakness, according to ABI Research, is what will push hardware-based security for mobile devices this year to a $1 billion market.

Mobile device security is a big issue for government, as agencies struggle with how to make access to data and services from those devices easier. They know the movement to mobile is inevitable, but how to make that access secure is what has held back a full-blown migration in government.

Software-based security offered through anti-virus or anti-theft apps, or the increasingly popular use of virtualization technologies to manage security in isolated environments, do not provide the level of security required in government or the financial sector, said Michela Menting, ABI’s senior analyst in cybersecurity.

“Further, existing security mechanisms that could offer better security are simply not appropriate for the mobile environment,” she said. “Those that are commonly used for PCs cannot be supported due to different hardware architectures, and because of limited resources of such things as the CPU, memory and battery.”

That’s also what the National Institute of Standards and Technology stressed in its recent guidance on hardware-based mobile security, Guidelines on Hardware-Rooted Security in Mobile Devices. Many mobile devices are not capable of providing strong security assurances because they lack hardware-based roots of trust that are increasingly built into laptops and other hosts, it said.

“Mobile devices are also vulnerable to ‘jailbreaking’ and ‘rooting,’ which provide device owners with greater flexibility over the devices (but that) also bypass important security features which may produce new vulnerabilities,” it said.

In one of its main recommendations, NIST proposed that mobile devices contain roots-of-trust security to provide a set of trusted functions and that “hardware RoTs are preferred over software RoTs due to their immutability, smaller attack surface and more reliable behavior.”

However, there are still a number of obstacles to the full emergence of a mobile hardware security market, Menting said. Not the least of those is the fact that silicon IP companies such as ARM, Trustonic JV and Samsung are taking different approaches to security, and these are clashing with approaches that major software vendors such as Intel and Microsoft are pushing.

For example, Menting said, Trustonic’s TrustZone is being incorporated into ARM’s new processor design — and ARM’s designs are a part of almost every smartphone — but chip companies that use the design have to pay an upfront license fee to gain access and also pay a royalty on each chip sold.

Therefore, even once the device is bought, additional efforts need to be made to activate the secure zone element, essentially making it a closed environment.
Meanwhile, Intel and Microsoft are taking an alternate approach, which is a standards-based focus around the UEFI/TPM (Unified Extensible Firmware Interface/Trusted Platform Module) specification.

UEFI is a new opportunity for pre-boot firmware on ARM-based systems, Menting said, since it’s a good fit with ARM’s recommendation of a generic secure firmware for TrustZone.

But UEFI/TPM is more popular at the moment with tablets and ultra books than with smartphones, she said, adding that Intel and Microsoft “are not making much inroad at the moment with smartphone OEMs. By forcing the use of UEFI in all Windows 8 devices, it seems Microsoft is driving away any chance of Android interest.”

Nevertheless, Menting said, the hardware-based security market is clearly emerging. Whether through RoTs, trusted execution environments, virtualization or kernel-based security technology, all vendors are seeking to offer security at the core in order to integrate the operating systems and other mobile-based applications.

Hardware-based mobile security was worth just $661 million at the end of 2013, Menting said, some 20 percent of the total global mobile security market. That percentage will go down slightly by 2018, to 17 percent, but overall it will still be worth $2.3 billion.